SymbOS.Cabir.M

Risk Level 1: Very Low

SymbOS.Cabir.M is a proof-of-concept worm that replicates on Series 60 phones. The worm is a minor variant of SymbOS.Cabir.

The only differences are:

The worm spreads as free$8.SIS.

The worm creates the file $$$.MDL instead of FLO.MDL.

The worm creates the folder C:\SYSTEM\MALAYSIAJOHOR--jb\yuanV3-diy-by-7022207
instead of C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER.

The worm displays the following message after infection:

free$8

The worm repeatedly sends itself to the first Bluetooth-enabled device that it can find, regardless of the type of device. For example, even a Bluetooth-enabled printer will be attacked if it is within range.

The worm spreads as a .SIS file, which is installed into the APPS directory. There is no payload, apart from the vastly shortened battery life caused by the constant scanning for Bluetooth-enabled devices.

Symantec recommends the following to protect against this threat:

If Bluetooth is not required, it should be turned off.

If you require the use of Bluetooth, ensure that the device's visibility setting is set to "Hidden" so that it can not be scanned by other Bluetooth devices.

Avoid use of device pairing. If it must be used, ensure that all paired devices are set to "Unauthorized". This requires each connection request to be authorized by the user.

Do not accept unsigned applications (no digital signature) or applications sent from unknown sources. Be absolutely sure of the origin of the application before accepting it.

Antivirus Protection Dates

Initial Rapid Release version January 7, 2005

Latest Rapid Release version February 19, 2013 revision 016

Initial Daily Certified version January 7, 2005

Latest Daily Certified version May 10, 2011 revision 024

Initial Weekly Certified release date January 12, 2005

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.